Hi,
I recently moved our library catalogue service to a new server running ipfilter 4.1.3 on Solaris 9, and old PCs used as dedicated catalogue terminals stopped working. After some investigation I found that these machines (running DOS) set the PUSH flag on their initial SYN packet, which ipfilter drops when "keep state" is specified. The code that does this is in fil.c, around line 943 (and seems to still be there in ipfilter 4.1.7).
I was able to work around the problem by removing "keep state".
Is there a standards-based reason why ipfilter marks such packets as bad, or is it just that they are almost never seen? I can see that it makes no sense to set PUSH in a SYN packet, but I just wanted to know if the old PCs are violating some standard or if this is a design decision of ipfilter.
Thanks - Ian
-- 
Ian Chard, Unix & Network Administrator | E: [EMAIL PROTECTED]
Systems and Electronic Resources Service | T: 80587 / (01865) 280587
Oxford University Library Services | F: (01865) 204937
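
One way to find which clients send the packets described above before turning on "keep state" is to check captured IPv4 packets for an initial SYN that also carries PUSH. This is an added example, not part of the original post and not ipfilter's fil.c code; `classify_syn`, `make_packet` and the sample packet are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, byte 13 of the TCP header (RFC 793). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10

enum syn_class { NOT_TCP = -1, NOT_INITIAL_SYN = 0, CLEAN_SYN = 1, SYN_WITH_PUSH = 2 };

/* Hypothetical helper: classify a raw IPv4 packet. SYN_WITH_PUSH means an
 * initial SYN that also carries PUSH, as the DOS clients in the post send. */
enum syn_class classify_syn(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return NOT_TCP;                 /* too short, or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 6)        /* bad header length, or not TCP */
        return NOT_TCP;
    if ((((pkt[6] << 8) | pkt[7]) & 0x1fff) != 0)
        return NOT_TCP;                 /* later fragment: no TCP header here */
    if (len < ihl + 20)
        return NOT_TCP;                 /* TCP header truncated */
    uint8_t flags = pkt[ihl + 13];
    if ((flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) != TH_SYN)
        return NOT_INITIAL_SYN;         /* not a bare connection request */
    return (flags & TH_PUSH) ? SYN_WITH_PUSH : CLEAN_SYN;
}

/* Constructed sample input: a 40-byte IPv4 + TCP packet with chosen flags. */
void make_packet(uint8_t *buf, uint8_t proto, uint8_t flags)
{
    for (size_t i = 0; i < 40; i++) buf[i] = 0;
    buf[0] = 0x45;                      /* IPv4, 20-byte header */
    buf[9] = proto;
    buf[20 + 12] = 0x50;                /* TCP data offset: 5 words */
    buf[20 + 13] = flags;
}

int main(void)
{
    uint8_t p[40];
    make_packet(p, 6, TH_SYN | TH_PUSH);
    printf("SYN+PUSH: %d\n", classify_syn(p, sizeof p));
    return 0;
}
```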
